ASA防火墙NAT新版老版的配置方法对比

ASA8.3以后，NAT算是发生了很大的改变，之前也看过8.4的ASA改变的还有VPN加入了Ikev2。MPF方法加入了新的东西，QOS和策略都加强了，这算是Cisco把CCSP的课程改为CCNRSecurity的改革吧！拓扑图就是上面的，基本配置都是一样，地址每个路由器上一条默认路由指向 ASAtlscdAiACeaftfdg)*P勺M200.200.200.2Typeescape toabort.Eending5tIOCbyteICMr>Lchosto200^200.200.2ttlNQ^utiB2cecorwdti{F!Ji!suernsr^TfT车ionpercent rownd-ir1paln/^vg/nu*1/4/10ik.叮：Koa風字 人ZW.ETypeescapesequencetoabcrl.fendi5,byrtlCMf>Lchoslo12.1.1.2,Efnacutfs2seconds:I!1[>5jc<rar(■侶LtWpercent(5/>),rnumi-tripnir^avgnax■1 站ciscoiSiCcwTfig)*pin^ ZTypeescape5equenc?toab^rt.Senenq5’J(TObyteICMPEfhodto13.lr1.2,ffneoiitT亍?seconds:111ri!iuctrat^1etoof>er[:直nr round-tripntn/avg/nao(=1/1/20低基本通信没问题，关于 8.3以后推出了两个概念，一个是 networkobject它可以代表一个主机或者子网的访问。另外一个是serviceobject ，代表服务。1、地址池的形式的NAT配置老版本代表一个 的地址池转换成-54—对一的转换global(outside)1200.200.200354新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#exitciscoasa(config)#objectnetworkoutside-poolciscoasa(config-network-object)#range54ciscoasa(config-network-object)#exitciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#nat(inside,outside)dynamicoutside-pool其实，刚开始接触也挺不习惯的，不过弄懂了就习惯了，它的意思是先定义两个 object,一个用于代表转换前的地址围，一个是转化后的地址围，最后在转换前的 object进行调用转化后的 object。ins1dc#tetn^tTrydngMOD.■ 2t«iQp®1nvcrlTTcaTlenPAs-sword:LUSor HO£t<£>idleLotatfan0con01dl0&：M：10H閒vryoIdle□D：Q0：OOZDQ.7GQ.EGG.interfaceuserEdiePeerAdJ-|outs.ido>由于地址不是一一对应的， 所以这里它就自动选择了。 这里为了清楚表达要在需要的地方调用这个策略，所以输入了两次objectnetworkinside，其实我们看先创建一个地址池，然后在创建一个需要转换的围，然后在这个object里面调用。2、动态PAT多对一的配置老配置里面可以根据一个地址或者直接跟 interface 参数来做nat(inside)1global(outside)1orinterface新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicinterface2(W・2o6・Tryiinj .Optuiij<tp■ vor1-pvonPasDkrcrd:ftUtElets4tictrLineUserHOStia1«Location□rori0fiilP7* vty0■idlerrrtcrti^literMo4«W诞PeerXdcrtssqul5ido这个策略最简单，就在需要转换的地址进行 NAT配置，这里调用interface 作为转换。如果是一个单一的地址话。ciscoasa(config)#objectnetworkoutside-patciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicoutside-pat 调用outside-pat策略用做PATTrying200.2D0.200.2…Trying200.2D0.200.2…openuserAcceisverificarionpuTsfdp>showuswLine

dcon0*bbvtyCHost(puTsfdp>showuswLine

dcon0*bbvtyCHost(5)idieidleMtxleidleP皀皀，essout£idp>转换成出去了3、StaticNAT 一对一转换老版本，用于服务器公布出去static(inside,outside)新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkDMZciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(dmZ,outside)staticciscoasa(config)#access-list100permittcpanyhosteqtelnetciscoasa(config)#access-group100ininterfaceoutsideOdtslde/Tclnct2DD.?O0,2i3O.3Tryirg?00.2M.2DD,3…、UEDTHCSTCl)MoUEDTHCSTCl)MoLCTJTlOri0con0idie00;00;046&vt¥0icHeIrter^aceU^erModePeerUitrAlcess"wer?<_cttfenPissword!□MZ-shOfuser外部访问DMZ没问题，但是这里注意的是在 8.3以前的版本是需要放行转换后的地址，而8.3以后，是放行真实的地址，也就是部地址。这里还可以用一个 obejet来单独设置一个地址，然后在调用。另外如果是http的转换或者这些依赖DNS解析的服务话，而部有是通过公网地址访问的话，那么就加个 DNS参数nat(dmZ,outside)staticdns4、StaticNAT端口转换static(inside,outside)tcp232323新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkDMZciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(dmZ,outside)staticciscoasa(config-network-object)#nat(dmZ,outside)staticservicetcptelnet2323这个是格式，前面telnet 是代表部服务的端口号，而后面的代表转换后的端口号。Gustsuui zoo.?523Trring ■斗2123・・・ORenu"r writfcnlanPassword: 这里要加2323的端口号。另外一种转换形式就是跟 interface参数的，它跟8.3以前一样，接口地址不能作为object的一部分，只能通过interface来表示，而不是地址形式。ciscoasa(config-network-object)#nat(dmZ,outside)staticinterfaceservicetcptelnet2323tIi-FLUUJILIIlL jTlOVr~11ILLI 's匚(jms•(匚orrff孚》#show刊匸匚e&s-listacctss^l1STcarnwia£lIoqflows;totalC,cien<fd0(denyflownax4CW)1.1ert-intervaliQOaccess-14st100;1r1ement5；naivehash;Ox{:駅对acces^-11st1QO11ne1exTPndedperalrtcpanvhost13.1.1□?«1EelrWT(Mtcnt-rilff,UMS・(ronf勺曹)* *这里8.3以后放行真实地址的流量就可以了，而不关心转换后的地址。5、IdentityNATnat(inside)0222255在老版本里面有个NATO的策略，分为identity 和bypass，我们通常用的denyVPN流量不做NAT用的是bypass，不过在8.3以后实现方法有点不同。在这个拓扑中，inside 新增加一个的地址，不被转换出去。ciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(inside,outside)dynamicinterfacefinalde*telnet2D0.200*.200.2/sourct-lnterfacetoTrying200.2<HL200,2…openUitrAccessver1fdc.dLt1onPassword;nujrtsiL1：neuse『Host(si idleLO匚hin0con0Idle (M;09133*G6vty0idle OS:00:00昭£»「FperAddressOutside^默认情况下是转换地址出去的，做个 identity后新版本(NetworkobjectNAT)ciscoasa(config)#objectnetworkinside1ciscoasa(config-network-object)#hostciscoasa(config-network-object)#nat(inside,outside)statictris{de^lelwt2Qi>.200. 2/saurce-interfdce'：o0Tryir.(j?ft3.20-0. ・・，ooen1utpr xiprlfir^TinnOut3ide>s,ni»fluiserLineuserHostts)idleLoeal1onUcon0"1fjl庭• wy0(KJ：CK7：<H»-FirTterfaceU5ET**7dcidlef巳亡厂扎anirrwTri口、

这里自己转换自己，它是优于 PAT的。6policyNATaccess-list100permitiphost 关于网段去往的转换用nat(inside)1access-list100global(outside)1globat(outside)1interface在老版本中，叫做策略 NAT,根据访问不同的网段，转换成不同地址出去。新版本(TwiceNAT)，这个是两次NAT,—般加入了基于目的的元素，而之前的 networkobject只是基于源的，通常情况下使用object就能解决问题了，这个只是在特殊情况下使用。一般我们把 object叫做AutoNAT，而TwiceNAT叫做manualNAT这是outside有个和3.333 的地址，当 的网段访问的时候转换成出去，而其余的就用接口地址转换。ciscoasa(config)#objectnetworkpolicy 这个代表访问ciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkoutside-pat 用这个地址做专门访问 的PATciscoasa(config-network-object)#hostciscoasa(config)#objectnetworkinsideciscoasa(config-network-object)#subnetciscoasa(config-network-object)#nat(inside,outside)dynamicinterface这里定义了部网段，并且用接口地址做 PAT。关于TwiceNAT是在全局下做的，而 AutoNAT是基于:在Object下做的。ciscoasa(config)#nat(inside,outside)sourcedynamicinsideoutside-patdestinationstaticpolicypolicy这个跟普通的AutoNAT，这里多了个destination 目的，policypolicy 这是书写格式。看下效果insideftelnet九九14Trying1.1,1.1…operAct甲,,veri'FicationLlrir0con0

•酿穴¥QLlrir0con0

•酿穴¥QjserL5rrHO5L(53idleidleModeIdle LCXdVl00:06;刃00:00:00200.200.ZOO.3IdI& pQPi"A.ddrps^IinsidcrtelnttJ.J.J*3TryT为F.r7.?*..opor.LineuseridleLocationLineuseridleLocationQcon0-idle*岳Evty0idie00:30:GO206.200,500.：HRPP'TUsvrmodi?jdiePeerjuldre&sLseraccessvsrificaticrPaiswore:ti-UT51dp>shnwkptputsidol效果出来了，访问 的时候用转换，而访问 3.333 的时候用interface 转换出去。VPN流量旁路在老版本里面我们用 NAT0来解决这个问题，而在新版本里面没有 NAT0这个概念了，它用TwiceNAT+Identify 组合的使用access-list100permitiphosthost2222nat(inside)0access-list100objectnetworklocal-vpn-traffichostobjectnetoworkremote-vpn-traffichostnat(inside,outside) sourcestaticlocal-vpn-traffic local-vpn-traffic destinationstaticremote-vpn-trafficremote-vpn-traffic( 全局下)执行顺序：1、 manualNAT:(TwiceNAT):、TwiceNAT+Identify(VPN旁路)、优先选择TwiceNAT有服务的转换、选择 TwiceNAT关于TwiceNAT的顺序完全是谁在最前面谁最优，没有什么比较的，可以通过人为的修改顺序。2、 AutoNAT:1、identify2 、static3 、dynamic其中static是优于dynamic的。如果static 存在多个，那么首先比较子网掩码围，大的优先，也就是 32位由于24位，如果都一样，就比较网络位，小的优先，就是/24网段比/24 优先，最后都相同比较 objectname，字母最前面的优先，也就是 ab是优于bc的Dynamic的话，顺序也跟static一样，只是static是优于dyanmic的NetworkObjectNAT 配置介绍1.DynamicNAT(动态NAT动态一对一)实例一:传统配置方法：nat(Inside)1global(Outside)100-00新配置方法(NetworkObjectNAT)objectnetworkOutside-Nat-Poolrange0000objectnetworkInside-NetworksubnetobjectnetworkInside-Networknat(Inside,Outside)dynamicOutside-Nat-Pool实例二:objectnetworkOutside-Nat-Poolhost01object-groupnetworkOutside-Addressnetwork-objectobjectOutside-Nat-Poolnetwork-objectobjectOutside-PAT-AddressobjectnetworkInside-Network(先100-200动态一对一，然后01动态PAT,最后使用接口地址动态PATnat(Inside,Outside)dynamicOutside-Addressinterface教主认为这种配置方式的好处是，新的 NAT命令绑定了源接口和目的接口，所以不会出现传统配置影响DMZ的问题(当时需要nat0+acl来旁路)2.DynamicPAT(Hide) (动态PAT，动态多对一)传统配置方式：nat(Inside)1新配置方法(NetworkObjectNAT)objectnetworkInside-NetworksubnetobjectnetworkOutside-PAT-Addresshost01objectnetworkInside-Networknat(Inside,Outside) dynamicOutside-PAT-Addressornat(Inside,Outside)dynamic023.StaticNATorStaticNATwithPortTranslation (静态一对一转换，静态端口转换)实例一：(静态一对一转换)传统配置方式：static(Inside,outside)01新配置方法(NetworkObjectNAT)objectnetworkStatic-Outside-AddresshostobjectnetworkStatic-Inside-Addressnat(Inside,Outside)staticStatic-Outside-Addressornat(Inside,Outside)static02实例二：(静态端口转换)传统配置方式：static(inside,outside)tcp02232323新配置方法(NetworkObjectNAT)objectnetworkStatic-Outside-Addresshost01objectnetworkStatic-Inside-Addresshostnat(Inside,Outside)staticStatic-Outside-Addressservicetcptelnet2323ornat(Inside,Outside)static01servicetcptelnet23234.IdentityNAT传统配置方式：nat(inside)055新配置方法(NetworkObjectNAT)objectnetworkInside-AddresshostobjectnetworkInside-Addressnat(Inside,Outside)staticInside-Addressornat(Inside,Outside)staticTwiceNAT(类似于PolicyNAT)实例一:传统配置:access-listinside-to-1permitiphostaccess-listinside-to-202permitiphostnat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)202新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetnat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202实例二：传统配置:access-listinside-to-1permitiphostaccess-listinside-to-202permitiphostnat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)202static(outside」nside)01static(outside,inside)02新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetobjectnetworkmap-dst-1host01objectnetworkmap-dst-202host02nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticmap-dst-1dst-1nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticmap-dst-202dst-202实例三：传统配置:access-list inside-to-1 permittcphosteq23access-listinside-to-202permittcphosteq3032nat(inside)1access-listinside-to-1nat(inside)2access-listinside-to-202global(outside)101global(outside)102新配置方法(TwiceNAT):objectnetworkdst-1hostobjectnetworkdst-202hostobjectnetworkpat-1host01objectnetworkpat-2host02objectnetworkInside-Networksubnetobjectservicetelnet23servicetcpdestinationeqtelnetobjectservicetelnet3032servicetcpdestinationeq3032nat(Inside,Outside)sourcedynamicInside-Networkpat-1destinationstaticdst-1dst-1servicetelnet23telnet23nat(Inside,Outside)sourcedynamicInside-Networkpat-2destinationstaticdst-202dst-202servicetelnet3032telnet3032MainDifferences BetweenNetworkObjectNATandTwiceNAT（NetworkObjectNAT和TwiceNAT的主要区别）Howyoudefinetherealaddress. （从如何定义真实地址的角度来比较）NetworkobjectNAT—YoudefineNATasaparameterforanetworkobject;thenetworkobjectdefinitionitselfprovidestherealaddress.ThismethodletsyoueasilyaddNATtonetworkobjects.Theobjectscanalsobeusedinotherpartsofyourconfiguration,forexample,foraccessrulesorevenintwiceNATrules.TwiceNAT—Youidentifyanetworkobjectornetworkobjectgroupforboththerealandmappedaddresses.Inthiscase,NATisnotaparameterofthenetworkobject;thenetworkobjectorgroupisaparameteroftheNATconfiguration.TheabilitytouseanetworkobjectgroupfortherealaddressmeansthattwiceNATismorescalable.＜为真实和映射后地址定义networkobject或者networkobjectgroup。在twicenat中，NAT不是networkobject的一个参数，networkobject或者group是NAT配置的一个参数。能够为真实地址使用networkobjectgroup，也体现了twicenat的可扩展性。＞HowsourceanddestinationNATisimplemented.（ 源和目的nat被运用）—NetworkobjectNAT—Eachrulecanapplytoeitherthesourceordestinationofapacket.Sotworulesmightbeused,oneforthesourceIPaddress,andoneforthedestinationIPaddress.Thesetworulescannotbetiedtogethertoenforceaspecifictranslationforasource/destinationcombination.＜每一个策略只能运用到数据包的源或者目的，如果要转换一个包的源和目的，需要使用两个策略，这两个策略不能绑定到一起来做实现特殊的源和目的的转换。 ＞-TwiceNAT—Asingleruletranslatesboththesourceanddestination.Amatchingpacketonlymatchestheonerule,andfurtherrulesarenotchecked.Evenifyoudonotconfiguretheoptional destination addressfortwiceNAT,amatchingpacketstillonlymatchesonetwiceNATrule.Thesourceanddestinationaretiedtogether,soyoucanenforcedifferenttranslationsdependingonthesource/destinationcombination.Forexample,sourceA/destinationAcanhaveadifferenttranslationthansourceA/destinationB.＜一个单一策略，既能转换源也能转换目的。一个包只能匹配上一个策略，并且不再做进一步检查了。就算你没有配置twicenat的目的地址选项，一个数据包也只能匹配一个 twicenat策略，目的和源被绑定到一起，因此你能够基于不同的源和目